The South Carolina Department of Revenue is located on Gervais Street in Columbia. Thursday, October 25, 2012. / Heidi Heilbrunn/Staff

Written by

Staff writer

COLUMBIA -- The costs related to a data breach at the state Department of Revenue is expected to exceed $20 million.

The agency is asking for a $20 million inter-agency loan from the State Budget and Control Board to cover expenses related to the massive data breach at the Department of Revenue in September, according to documents for the budget board’s meeting on Wednesday.

The documents don’t show a breakdown for the $20.1 million.

However, Rob Godfrey, a spokesman for Gov. Nikki Haley, who chairs the board, said the amount includes money for Experian, a credit monitoring service.

“It also includes remediation measures, such as dual authentication and encryption, and it also includes the cost of mailing notification letters,” he said.

At the time of the September hacking, officials have said, the agency didn’t encrypt all its data and used a single password system.

Experts say the agency could have reduced its chances of a breach had it used a double-password system to gain access to the system and encrypted all its data, as the tax agencies in North Carolina and Georgia do.

The dual-authentication system is expected to cost about $25,000, Jim Etter, the Department of Revenue’s director, has told senators.

He said when officials looked at the idea of encrypting all its data several years ago, the cost was estimated to be about $5 million. Etter said officials at the time considered the $5 million not to be cost effective.

Officials have said other costs related to the breach include expenses for Mandiant, the private cyber security firm hired to investigate the breach and suggest solutions, and for fees for a public relations firm and for a private law firm.

Haley had previously disclosed that the state’s contract with Experian was for $12 million to cover credit monitoring for all affected taxpayers and their dependents for a year, as well as fraud resolution assistance for life for taxpayers.

Credit monitoring for businesses also is offered through Experian and through Dun and Bradstreet Credibility Corp, which isn’t charging for its service.

(Page 2 of 2)

Rep. Bruce Bannister of Greenville, the House majority leader and chairman of a special House committee examining the breach, said he thinks it is reasonable to take steps to respond to the hacking and to arrange for a means to pay for it, even if the Legislature eventually has to allocate the funds next year.

“It is certainly smart for the governor to take those steps necessary to deal with the problem,” he said, “including sending out the notices and fixing the system so that it can’t be accessed, while the Legislature figures out how much and when we want to pay for the repairs.

“If we decide some agency budgets need to be cut, rather than additional money allocated, that’s something we’ve got to look at in January. But it’s certainly a new priority.”

The agenda lists other agencies that have requested loans over the years from the board. The biggest loan previously was for $9.2 million, according to the documents, to the state Patriots Point Development Authority in 2009 for repairs to the U.S.S. Laffey.

Lawmakers are expected to discuss how to pay for the expenses when they return to Columbia in January for a new legislative session.

Already two legislative committees -- one in the Senate and one in the House -- are investigating the breach and how it happened, as well as how to increase computer security throughout state government.

The data breach exposed 3.8 million Social Security numbers, 3.3 million checking account numbers and information for almost 700,000 businesses.

Also on the agenda for the State Budget and Control Board is a request for the board to authorize the state to seek a private vendor to help develop a statewide information security and risk management program.

The cost for the vendor and development of the program is to be paid for by excess appropriations for the current fiscal year, according to the proposal as detailed in the agenda.